9b85a9
From dba153a54183187d16cb983d269516930c555ad8 Mon Sep 17 00:00:00 2001
9b85a9
Message-Id: <dba153a54183187d16cb983d269516930c555ad8@dist-git>
9b85a9
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
9b85a9
Date: Wed, 15 May 2019 21:40:56 +0100
9b85a9
Subject: [PATCH] admin: reject clients unless their UID matches the current
9b85a9
 UID
9b85a9
MIME-Version: 1.0
9b85a9
Content-Type: text/plain; charset=UTF-8
9b85a9
Content-Transfer-Encoding: 8bit
9b85a9
9b85a9
The admin protocol RPC messages are only intended for use by the user
9b85a9
running the daemon. As such they should not be allowed for any client
9b85a9
UID that does not match the server UID.
9b85a9
9b85a9
Fixes CVE-2019-10132
9b85a9
9b85a9
Reviewed-by: Ján Tomko <jtomko@redhat.com>
9b85a9
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
9b85a9
(cherry picked from a private commit)
9b85a9
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
9b85a9
Message-Id: <20190515204058.28077-2-berrange@redhat.com>
9b85a9
---
9b85a9
 src/admin/admin_server_dispatch.c | 22 ++++++++++++++++++++++
9b85a9
 1 file changed, 22 insertions(+)
9b85a9
9b85a9
diff --git a/src/admin/admin_server_dispatch.c b/src/admin/admin_server_dispatch.c
9b85a9
index b78ff902c0..9f25813ae3 100644
9b85a9
--- a/src/admin/admin_server_dispatch.c
9b85a9
+++ b/src/admin/admin_server_dispatch.c
9b85a9
@@ -66,6 +66,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED,
9b85a9
                    void *opaque)
9b85a9
 {
9b85a9
     struct daemonAdmClientPrivate *priv;
9b85a9
+    uid_t clientuid;
9b85a9
+    gid_t clientgid;
9b85a9
+    pid_t clientpid;
9b85a9
+    unsigned long long timestamp;
9b85a9
+
9b85a9
+    if (virNetServerClientGetUNIXIdentity(client,
9b85a9
+                                          &clientuid,
9b85a9
+                                          &clientgid,
9b85a9
+                                          &clientpid,
9b85a9
+                                          &timestamp) < 0)
9b85a9
+        return NULL;
9b85a9
+
9b85a9
+    VIR_DEBUG("New client pid %lld uid %lld",
9b85a9
+              (long long)clientpid,
9b85a9
+              (long long)clientuid);
9b85a9
+
9b85a9
+    if (geteuid() != clientuid) {
9b85a9
+        virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
9b85a9
+                                 (long long)clientpid,
9b85a9
+                                 (long long)clientuid);
9b85a9
+        return NULL;
9b85a9
+    }
9b85a9
 
9b85a9
     if (VIR_ALLOC(priv) < 0)
9b85a9
         return NULL;
9b85a9
-- 
9b85a9
2.21.0
9b85a9